diff --git a/security/split-gpg.md b/security/split-gpg.md
index 64d0b759..becc456d 100644
--- a/security/split-gpg.md
+++ b/security/split-gpg.md
@@ -171,6 +171,19 @@ passphrase from your (sub)key(s) in order to get Split-GPG working correctly.
 As mentioned above, we do not believe PGP key passphrases to be significant
 from a security perspective.
 
+### Thunderbird + Enigmail in Qubes 4.0 ###
+
+New qrexec policies in Qubes R4.0 by default require the user to enter the name 
+of the domain containing GPG keys each time it is accessed.  To improve usability 
+for Thunderbird+Enigmail, in `dom0` place the following line at the top of the file 
+`/etc/qubes-rpc/policy/qubes.Gpg`:
+
+```
+work-email  work-gpg  allow
+```
+where `work-email` is the Thunderbird+Enigmail AppVM and `work-gpg` contains 
+your GPG keys.
+
 ## Using Git with Split GPG ##
 
 Git can be configured to used with Split-GPG, something useful if you would
@@ -227,20 +240,6 @@ displayed to accept this.
 
 <br />
 
-Qubes 4.0
----------
-New qrexec policies in Qubes R4.0 by default require the user to enter the name 
-of the domain containing GPG keys each time it is accessed.  To improve usability 
-for Thunderbird+Enigmail, in `dom0` place the following line at the top of the file 
-`/etc/qubes-rpc/policy/qubes.Gpg`:
-
-```
-work-email  work-gpg  allow
-```
-where `work-email` is the Thunderbird+Enigmail AppVM and `work-gpg` contains 
-your GPG keys.
-
-<br />
 
 Advanced: Using Split GPG with Subkeys
 --------------------------------------